smtp STARTTLS not working when traffic goes through IPsec tunnel
-
I have a remote site and a main site connected through an IPsec VTI tunnel. All subnets from each site have static routes to each other so everything is working just fine in terms of devices from one site reaching the other. I have one Linux docker container from the remote site that has all its Internet traffic (outbound/inbound using policy-based routing) routed through the tunnel -> to the main site -> out to the Internet. Everything is working fine except for when relaying emails with TLS encryption to gmail.
With the remote site device routing to the main site, here's what I get in python:
>>> from smtplib import SMTP >>> user="username redacted" >>> pw="password redacted" >>> server = SMTP('smtp.gmail.com', 587) >>> server.set_debuglevel(1) >>> server.ehlo() send: 'ehlo [192.168.20.101]\r\n' reply: b'250-smtp.gmail.com at your service, [ip address redacted]\r\n' reply: b'250-SIZE 35882577\r\n' reply: b'250-8BITMIME\r\n' reply: b'250-STARTTLS\r\n' reply: b'250-ENHANCEDSTATUSCODES\r\n' reply: b'250-PIPELINING\r\n' reply: b'250-CHUNKING\r\n' reply: b'250 SMTPUTF8\r\n' reply: retcode (250); Msg: b'smtp.gmail.com at your service, [ip address redacted]\nSIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\nPIPELINING\nCHUNKING\nSMTPUTF8' (250, b'smtp.gmail.com at your service, [ip address redacted]\nSIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\nPIPELINING\nCHUNKING\nSMTPUTF8') >>> server.starttls() send: 'STARTTLS\r\n' reply: b'220 2.0.0 Ready to start TLS\r\n' reply: retcode (220); Msg: b'2.0.0 Ready to start TLS' server.login(user,pw) server.sendmail(user, user, "test") server.quit()
Look how the prompt never returns after the "Ready to start TLS" reply from the gmail server.
When I remove the policy-based route, so the remote site device using the default gateway of the remote site pfsense router (no tunneling), it's working correctly like so:
>>> from smtplib import SMTP >>> user="redacted" >>> pw="redacted" >>> server = SMTP('smtp.gmail.com', 587) >>> server.set_debuglevel(1) >>> server.ehlo() send: 'ehlo [192.168.20.101]\r\n' reply: b'250-smtp.gmail.com at your service, [redacted]\r\n' reply: b'250-SIZE 35882577\r\n' reply: b'250-8BITMIME\r\n' reply: b'250-STARTTLS\r\n' reply: b'250-ENHANCEDSTATUSCODES\r\n' reply: b'250-PIPELINING\r\n' reply: b'250-CHUNKING\r\n' reply: b'250 SMTPUTF8\r\n' reply: retcode (250); Msg: b'smtp.gmail.com at your service, [redacted]\nSIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\nPIPELINING\nCHUNKING\nSMTPUTF8' (250, b'smtp.gmail.com at your service, [redacted]\nSIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\nPIPELINING\nCHUNKING\nSMTPUTF8') >>> server.starttls() send: 'STARTTLS\r\n' reply: b'220 2.0.0 Ready to start TLS\r\n' reply: retcode (220); Msg: b'2.0.0 Ready to start TLS' (220, b'2.0.0 Ready to start TLS') >>> server.login(user,pw) send: 'ehlo [192.168.20.101]\r\n' reply: b'250-smtp.gmail.com at your service, [redacted]\r\n' reply: b'250-SIZE 35882577\r\n' reply: b'250-8BITMIME\r\n' reply: b'250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH\r\n' reply: b'250-ENHANCEDSTATUSCODES\r\n' reply: b'250-PIPELINING\r\n' reply: b'250-CHUNKING\r\n' reply: b'250 SMTPUTF8\r\n' reply: retcode (250); Msg: b'smtp.gmail.com at your service, [redacted]\nSIZE 35882577\n8BITMIME\nAUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH\nENHANCEDSTATUSCODES\nPIPELINING\nCHUNKING\nSMTPUTF8' send: 'AUTH PLAIN AGtldmluZGQ5OTIwMDJAZ21haWwuY29tAERyZWFtY2FzdDA5MjExOTg3\r\n' reply: b'235 2.7.0 Accepted\r\n' reply: retcode (235); Msg: b'2.7.0 Accepted' (235, b'2.7.0 Accepted') >>> server.sendmail(user, user, "test") send: 'mail FROM:<kevindd992002@gmail.com> size=4\r\n' reply: b'250 2.1.0 OK gf23sm6846481pjb.48 - gsmtp\r\n' reply: retcode (250); Msg: b'2.1.0 OK gf23sm6846481pjb.48 - gsmtp' send: 'rcpt TO:<kevindd992002@gmail.com>\r\n' reply: b'250 2.1.5 OK gf23sm6846481pjb.48 - gsmtp\r\n' reply: retcode (250); Msg: b'2.1.5 OK gf23sm6846481pjb.48 - gsmtp' send: 'data\r\n' reply: b'354 Go ahead gf23sm6846481pjb.48 - gsmtp\r\n' reply: retcode (354); Msg: b'Go ahead gf23sm6846481pjb.48 - gsmtp' data: (354, b'Go ahead gf23sm6846481pjb.48 - gsmtp') send: b'test\r\n.\r\n' reply: b'250 2.0.0 OK 1610368675 gf23sm6846481pjb.48 - gsmtp\r\n' reply: retcode (250); Msg: b'2.0.0 OK 1610368675 gf23sm6846481pjb.48 - gsmtp' data: (250, b'2.0.0 OK 1610368675 gf23sm6846481pjb.48 - gsmtp') {} >>> server.quit() send: 'quit\r\n' reply: b'221 2.0.0 closing connection gf23sm6846481pjb.48 - gsmtp\r\n' reply: retcode (221); Msg: b'2.0.0 closing connection gf23sm6846481pjb.48 - gsmtp' (221, b'2.0.0 closing connection gf23sm6846481pjb.48 - gsmtp')
What is going on here? I don't think TLS breaks when routed through an IPsec tunnel because I can browse HTTPS websites just fine. Any thoughts?